Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Flatcar users safe from CVE-2024-3094 #1410

Closed
jepio opened this issue Apr 1, 2024 · 5 comments
Closed

Flatcar users safe from CVE-2024-3094 #1410

jepio opened this issue Apr 1, 2024 · 5 comments
Labels
advisory security advisory security security concerns

Comments

@jepio
Copy link
Member

jepio commented Apr 1, 2024

Name: lzma/xz + ssh
CVEs: CVE-2024-3094
CVSSs: 10.0
Action Needed: no action needed

Summary:
XZ was compromised, which lead to a RCE vulnerability in distributions that patch OpenSSH to link against libsystemd.

No Flatcar version/release shipped with the compromised xz version (5.6.0+), the latest version of xz in any version of Flatcar was 5.4.6.
Flatcar does not patch OpenSSH to link against libsystemd, so the attack vector was also not possible in Flatcar.
Flatcar users are safe from CVE-2024-3094.

refmap.gentoo: https://bugs.gentoo.org/928134

@jepio jepio added security security concerns advisory security advisory labels Apr 1, 2024
@jepio jepio pinned this issue Apr 1, 2024
@jepio jepio changed the title Flatcar safe from CVE-2024-3094 Flatcar users safe from CVE-2024-3094 Apr 1, 2024
@pothos
Copy link
Member

pothos commented Apr 2, 2024

To add: The 5.6 ebuild files were copied to our Gentoo package repo inside the scripts directory but wasn't used so far, not in Alpha and also not in the nightlies. I've opened a PR to delete them: flatcar/scripts#1816

Note that the investigation is still not finished, because the xz 5.4 release also contains changes from the malicious contributor and we'll have to see if anything further pops up and if there will be a "known-good" 5.4 release we can migrate to.

@dongsupark dongsupark moved this from 📝 Needs Triage to 🪵Backlog in Flatcar tactical, release planning, and roadmap Apr 2, 2024
@dongsupark
Copy link
Member

Side note: the same author of xz backdoor also did a suspicious change in libarchive, and it was reverted a few days ago. Although it is not clear at the moment if that should be considered a security issue, Gentoo already updated app-arch/libarchive to 3.7.2-r3, by backporting the revert. See also https://bugs.gentoo.org/928146.

@pothos
Copy link
Member

pothos commented Apr 2, 2024

We've downgraded to 5.4.2 as Gentoo did, because this is early enough to exclude most other possibly malicious changes. We can also think of rebuilding the SDK from an older seed SDK but we first need to check if we can use one seed for all channels.

Found that this Alpha's SDK would have the same xz-utils version: https://alpha.release.flatcar-linux.net/amd64-usr/3602.0.0/flatcar_production_image_packages.txt

@ader1990
Copy link

ader1990 commented Apr 3, 2024

FYI: Out of precaution, there is this check added recently to upstream Gentoo gentoo/gentoo@8257744

@dongsupark
Copy link
Member

Now that all channels were released with xz-utils 5.4.2 to be pre-cautious, let's close.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
advisory security advisory security security concerns
Projects
None yet
Development

No branches or pull requests

4 participants